1. Scope
This Privacy Policy applies to Zayt websites, applications, APIs, integrations, support channels, and related services. It explains how Zayt collects, uses, shares, and protects information when you use the service or authorize integrations.
Zayt is designed for pharmacies and authorized pharmacy teams. If your organization has a separate written agreement with Zayt, that agreement may include additional privacy and data processing terms.
2. Information We Collect
Account and contact information, such as names, email addresses, phone numbers, organization details, roles, authentication data, billing details, and support communications.
Pharmacy operational information that you submit or authorize Zayt to access, such as locations, normalized drug products, verified package mappings, inventory lots and counts, movements, expiration dates, supplier offers, contract terms, import provenance, reconciliation exceptions, and purchasing estimates.
Patient-free fill activity, limited to an HMAC-pseudonymous external script reference, exact normalized product, quantity, workflow status, location, and operational timestamps. Zayt normalized records are not designed to store patient, prescriber, insurance, directions, diagnosis, address, phone, date-of-birth, or other contact fields.
Approved provider connection information, such as provider and supplier identifiers, authorized source methods, location identifiers, connection status, sync checkpoints, source timestamps, encrypted credentials or source artifacts where required, and non-secret credential hints. Where an approved read-only setup requires them, this may include a customer-provided Rx30 or McKesson username, password, and provider-verification email; those credentials are encrypted and are separate from Gmail authorization.
When a pharmacy owner separately authorizes Gmail, we collect the connected mailbox address and granted scopes; encrypted access and refresh tokens; encrypted Gmail message, thread, and header identifiers; synchronization and watch status; and normalized plain-text messages involving supplier representatives that the pharmacy configured. We also retain encrypted Price Request drafts and redacted delivery, approval, and audit metadata. Attachments, inline files, remote or executable HTML, and unrelated inbox messages are not imported.
Usage, device, and log information, such as IP address, browser type, device information, pages viewed, feature usage, timestamps, diagnostic events, cookie or similar technology identifiers, and security logs.
Barcode and camera scanning is initiated by the user and decoded locally. Zayt does not upload or retain camera frames; normalized identifier evidence and bounded display hints may be retained for inventory and audit workflows.
3. How We Use Information
We use information to provide, maintain, personalize, secure, and improve Zayt; authenticate users; operate approved read-only integrations and validated imports; maintain inventory and movement history; calculate Order Guide, expiration, supplier, and savings estimates; provide analytics and support; process payments; and communicate about the service.
We may also use information to reconcile imports and inventory events, troubleshoot errors, prevent abuse, enforce terms, comply with legal obligations, analyze aggregate service performance, and develop pharmacy inventory and purchasing features.
With a pharmacy owner's separate Gmail authorization, read-only Gmail access is used only to search a bounded recent window for approved provider verification messages and to synchronize conversations involving configured supplier representatives. Send access is used only to transmit the exact Price Request subject and body that an authorized owner or manager reviewed and approved. Zayt does not change Gmail labels, read state, archive state, or drafts, and it does not auto-send follow-ups.
4. Pharmacy Providers and Imports
Rx30, McKesson, and supplier information is accepted only through an approved read-only provider feed or a validated signed import. Provider authorization, applicable agreements, data-use restrictions, and security approvals may limit which sources can be enabled.
Zayt uses normalized provider and import data to support inventory, reconciliation, purchasing estimates, expiration views, and analytics. Zayt does not use these connections to automate portal login, submit orders, prepare live carts, or make medication-substitution decisions. Price Requests is the narrow exception for supplier contact: an owner or manager may send a factual exact-product price inquiry through a separately authorized Gmail mailbox only after approving the exact subject and body. A Price Request is not an order or purchase commitment.
5. Gmail and Price Requests
Gmail access is optional, initiated by a pharmacy owner, and scoped to one location. Immediately before Google consent, Zayt explains the requested permissions and requires confirmation that the mailbox and supplier conversations are procurement-only and do not contain patient, prescriber, claim, insurance, diagnosis, directions, or contact data.
Zayt requests only https://www.googleapis.com/auth/gmail.readonly and https://www.googleapis.com/auth/gmail.send. Read-only access supports recent approved provider-code retrieval and a 90-day initial import, followed by ongoing synchronization, of conversations involving configured supplier representatives. Send access is limited to an exact, human-approved Price Request email. Zayt does not request Gmail metadata, modify, compose, or label scopes.
Provider verification message contents and codes are processed transiently and are not retained. Matching supplier-representative messages may be retained as application-encrypted normalized plain text until Gmail is disconnected. Likely patient-bearing content is quarantined and excluded from Price Request drafting and display. Authorized pharmacy users may view the clear supplier-representative conversation in their location-scoped workspace.
When AI drafting is available, Zayt sends only the Price Request facts and no more than the last six linked, non-quarantined normalized messages, capped at 12,000 characters, to OpenAI as Zayt's contracted AI service provider to produce a suggested draft. This external draft call is enabled only when the required provider data-use and no-training terms are configured. Attachments, Gmail tokens and identifiers, unrelated messages, quarantined content, and patient fields are excluded. Zayt does not use Google user data for advertising, sale, creditworthiness, or training generalized AI models.
Zayt personnel do not access Gmail message content except when necessary for security or legal obligations, or when you give affirmative permission for requested support, and only under least-privilege and audit controls consistent with applicable Google policy.
Disconnecting Gmail stops future synchronization, attempts token revocation, and deletes locally stored Gmail tokens, imported message content and identifiers, and derived draft content. Zayt retains redacted security and audit records, content hashes, and Price Request outcomes when needed for integrity, legal, and business-record purposes. Zayt's use and transfer of information received from Google Workspace APIs adheres to the Google API Services User Data Policy and the Google Workspace API User Data and Developer Policy, including their Limited Use requirements.
6. How We Share Information
We share information with authorized users in your organization, service providers that help us host and operate Zayt, payment processors, security and analytics providers, customer support tools, and professional advisors.
We may exchange the minimum necessary information with approved connected providers to authenticate a read-only feed, validate an import, receive authorized source data, or support a connection that you configure. When you separately authorize Gmail and approve a Price Request, Google processes the OAuth, read, synchronization, and send operations, and the configured supplier representative receives the approved message. Supplier recommendations never authorize Zayt to send an order or purchase commitment.
We may disclose information if required by law, legal process, or government request, or if we believe disclosure is necessary to protect rights, safety, security, prevent fraud or abuse, enforce terms, or complete a merger, acquisition, financing, or sale of assets.
We do not sell personal information.
7. Retention
We retain information for as long as needed to provide the service, maintain business records, comply with legal obligations, resolve disputes, enforce agreements, and preserve security logs.
Current pharmacy operational defaults retain pseudonymous fill events for 90 days, daily aggregates for 24 months, and encrypted raw import content for no more than a seven-day reconciliation window; hashes, provenance, counts, reconciliation state, inventory movements, and audit metadata may follow their applicable retention requirements.
Records from retired agent, review, restaurant, and voice products may remain encrypted and read-only while retention, export, security, legal, or contractual obligations are evaluated or satisfied. Retention does not reactivate those products.
You may request deletion of account or pharmacy data, subject to legal, security, backup, provider, and legitimate business retention requirements. Disconnecting most integrations may stop future syncing but may not automatically delete previously synced operational data. The Gmail Price Requests connection is different: disconnect deletes locally stored tokens and imported or derived mailbox content while retaining only the redacted audit, content-hash, and outcome records described above.
8. Security
Zayt uses reasonable administrative, technical, and organizational safeguards designed to protect information, including access controls and protections for credentials and provider tokens.
No method of transmission or storage is perfectly secure. You are responsible for maintaining secure passwords, devices, administrator permissions, and provider accounts.
9. Your Choices and Rights
You may update account information, manage authorized users, disconnect supported integrations, change supported provider permissions, revoke Zayt from your Google Account permissions, opt out of non-essential communications, and request access, correction, export, or deletion of certain information by contacting Zayt.
Depending on where you live or operate, you may have additional privacy rights under applicable law. We will respond to verified requests as required by applicable law.
10. Cookies and Similar Technologies
Zayt may use cookies, local storage, and similar technologies to keep users signed in, remember preferences, measure service usage, diagnose errors, and protect the service from abuse.
Browser settings may allow you to block or delete cookies, but some service features may not function correctly without them.
11. Children
Zayt is not intended for children under 13, and we do not knowingly collect personal information from children under 13.
12. International Use
Zayt may process information in the United States and other locations where Zayt or its service providers operate. By using the service, you understand that information may be processed outside your location.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The updated version will be posted on this page with a new last updated date, and continued use of the service means the updated policy applies.
Questions about this policy can be sent to hello@zayt.ai.